v0.24.0

@github-actions github-actions released this 09 May 02:57
· 67 commits to main since this release
cbd04b7

New: Lazy Secret Resolution

Secrets are no longer fetched from providers at pipeline-build time. Each resolver now validates its static configuration on startup and returns a deferred fetch that fires on the first matching request. Results are cached per the source's configured TTL; initial-fetch failures are also cached for the source TTL (default 30 s) so a slow or unavailable backend is not hammered on every request. Existing serve-stale-on-refresh-error behavior is preserved.
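A sketch of the caching behavior described above, added here as an illustration and not taken from the project's code. The names `LazySecret`, `Get`, the `fetch` signature and the injectable clock are assumptions, as is the choice to extend a stale value by one TTL after a failed refresh.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// LazySecret (hypothetical name) defers the provider call until the first Get.
type LazySecret struct {
	mu      sync.Mutex
	fetch   func() (string, error) // provider call; signature is an assumption
	ttl     time.Duration          // source TTL (page default: 30 s)
	now     func() time.Time       // injectable clock so the demo needs no sleeps
	value   string
	hasVal  bool
	err     error
	expires time.Time
}

func (s *LazySecret) Get() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if (s.hasVal || s.err != nil) && s.now().Before(s.expires) {
		return s.value, s.err // cached value or cached failure, no backend call
	}
	v, err := s.fetch()
	s.expires = s.now().Add(s.ttl)
	switch {
	case err == nil:
		s.value, s.hasVal, s.err = v, true, nil
	case s.hasVal:
		s.err = nil // refresh failed: keep serving the stale value
	default:
		s.err = err // initial fetch failed: remember it for one TTL
	}
	return s.value, s.err
}

func main() {
	clock, calls := time.Unix(0, 0), 0
	s := &LazySecret{ttl: 30 * time.Second, now: func() time.Time { return clock },
		fetch: func() (string, error) { calls++; return "", errors.New("backend down") }}
	for i := 0; i < 3; i++ {
		_, err := s.Get()
		fmt.Println(err, "backend calls:", calls) // stays at 1 inside the TTL
	}
}
```

With an unavailable backend, three requests inside the TTL produce one provider call; the cached failure is what the `require` option then acts on.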

New: require on Secret Inject

The require option now applies to inject steps in addition to replace. Setting require: true rejects the request when the secret cannot be resolved; require: false silently skips the step and adds a secret_unavailable annotation to the audit log. This replaces the previous behavior where any resolve failure unconditionally returned a 502.

secrets:
  transforms:
    - inject:
        header: "Authorization"
        value: "Bearer {{vault.my-token}}"
        require: false   # skip silently if unavailable

New: Hot-Swap MCP Policy

MCP policy can now be updated without restarting the proxy. Policy is held in an atomic PolicyHolder so each request snapshots the current policy at start and stays consistent across request and response evaluation. Parse or compile errors on an incoming policy are logged and the prior policy is preserved — matching the existing behavior for transform pipeline errors. Standalone mode continues to use YAML as the source of truth, and the /v1/reload management endpoint now reloads MCP policy alongside the transform pipeline.

Changelog

  • 4170547 feat(secrets): resolve lazily and add require to inject (#109)
  • cbd04b7 feat(mcp): hot-swap MCP policy from control plane sync (#108)